ThemeGrill Demo Importer < 1.6.2 - Database Reset

ThemeGrill Demo Importer before 1.6.2 does not require authentication for wiping the database due to a reset_wizard_actions hook. In versions 1.3.4 and above and versions 1.6.1 and below, there is a vulnerability that allows any unauthenticated user to wipe the entire database to its default state after which they are automatically logged in as an administrator.

• https://www.openwall.com/lists/oss-security/2020/02/19/1
• https://nvd.nist.gov/vuln/detail/CVE-2020-36333